
Package config contains all knobs and defaults used to configure features of OpenFGA when running as a standalone server.

Index

Constants

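// Default values for the server's tunables. Most have a matching field on
// Config or on one of its nested *Config structs, and DefaultConfig is where
// they are wired together. Sizes are in bytes unless the name says otherwise;
// durations are time.Duration values.
const (
	// DefaultMaxRPCMessageSizeInBytes caps the size of an incoming RPC message.
	// The multiplier was previously written as 1_204 (a typo for 1_024), which
	// made the effective cap 616,448 bytes while the comment claimed 512 KB.
	// The value now matches the documented intent and the other *InBytes
	// constants in this block; requests between 524,288 and 616,448 bytes that
	// previously slipped through the accidental cap are now rejected.
	DefaultMaxRPCMessageSizeInBytes         = 512 * 1_024 // 512 KiB
	DefaultMaxTuplesPerWrite                = 100
	DefaultMaxTypesPerAuthorizationModel    = 100
	DefaultMaxAuthorizationModelSizeInBytes = 256 * 1_024
	DefaultMaxAuthorizationModelCacheSize   = 100000
	DefaultChangelogHorizonOffset           = 0 // minutes; see Config.ChangelogHorizonOffset
	DefaultResolveNodeLimit                 = 25
	DefaultResolveNodeBreadthLimit          = 10
	DefaultUsersetBatchSize                 = 1000
	DefaultListObjectsDeadline              = 3 * time.Second
	DefaultListObjectsMaxResults            = 1000
	// The concurrent-read limits land on uint32 fields of Config, so
	// math.MaxUint32 means "effectively unbounded" unless an operator sets them.
	DefaultMaxConcurrentReadsForCheck       = math.MaxUint32
	DefaultMaxConcurrentReadsForListObjects = math.MaxUint32
	DefaultListUsersDeadline                = 3 * time.Second
	DefaultListUsersMaxResults              = 1000
	DefaultMaxConcurrentReadsForListUsers   = math.MaxUint32

	DefaultWriteContextByteLimit = 32 * 1_024 // 32KB

	// Entry limit of the cache shared across Check requests (CheckCacheConfig.Limit).
	DefaultCheckCacheLimit = 10000

	// Cache controller: watches for recent tuple changes to drive invalidation
	// (see CacheControllerConfig). Off by default.
	DefaultCacheControllerEnabled = false
	DefaultCacheControllerTTL     = 10 * time.Second

	// Check query cache (CheckQueryCache). Off by default.
	DefaultCheckQueryCacheEnabled = false
	DefaultCheckQueryCacheTTL     = 10 * time.Second

	// Shadow check cache; see CacheSettings.ShouldCreateShadowNewCache. Off by default.
	DefaultShadowCheckCacheEnabled = false

	// Iterator caches for Check and ListObjects (IteratorCacheConfig). Off by default.
	DefaultCheckIteratorCacheEnabled    = false
	DefaultCheckIteratorCacheMaxResults = 10000
	DefaultCheckIteratorCacheTTL        = 10 * time.Second

	DefaultListObjectsIteratorCacheEnabled    = false
	DefaultListObjectsIteratorCacheMaxResults = 10000
	DefaultListObjectsIteratorCacheTTL        = 10 * time.Second

	DefaultListObjectsOptimizationsEnabled = false

	// Same values as the DefaultCacheController* pair above; which of the two
	// a given consumer reads is not visible from this package alone.
	DefaultCacheControllerConfigEnabled = false
	DefaultCacheControllerConfigTTL     = 10 * time.Second

	// Shadow resolvers run an alternate implementation alongside the primary
	// one. SamplePercentage is a percentage (10 == 10%); what is sampled is
	// decided by the resolver, not here. All off by default.
	DefaultShadowCheckResolverEnabled  = false
	DefaultShadowCheckSamplePercentage = 10
	DefaultShadowCheckResolverTimeout  = 1 * time.Second

	DefaultShadowListObjectsCheckResolverEnabled  = false
	DefaultShadowListObjectsCheckSamplePercentage = 10
	DefaultShadowListObjectsCheckResolverTimeout  = 1 * time.Second

	DefaultShadowListObjectsQueryEnabled          = false
	DefaultShadowListObjectsQuerySamplePercentage = 10
	DefaultShadowListObjectsQueryTimeout          = 1 * time.Second
	DefaultShadowListObjectsQueryMaxDeltaItems    = 100

	// Care should be taken here - decreasing can cause API compatibility problems with Conditions.
	// MaxConditionEvaluationCost() clamps the runtime value to a safe bound.
	DefaultMaxConditionEvaluationCost = 100
	DefaultInterruptCheckFrequency    = 100

	// Dispatch throttling (DispatchThrottlingConfig), one set per API. Off by
	// default; Frequency is the throttle tick, Threshold the dispatch count at
	// which throttling starts.
	DefaultCheckDispatchThrottlingEnabled          = false
	DefaultCheckDispatchThrottlingFrequency        = 10 * time.Microsecond
	DefaultCheckDispatchThrottlingDefaultThreshold = 100
	DefaultCheckDispatchThrottlingMaxThreshold     = 0 // 0 means use the default threshold as max

	// Batch Check.
	DefaultMaxChecksPerBatchCheck           = 50
	DefaultMaxConcurrentChecksPerBatchCheck = 50

	DefaultListObjectsDispatchThrottlingEnabled          = false
	DefaultListObjectsDispatchThrottlingFrequency        = 10 * time.Microsecond
	DefaultListObjectsDispatchThrottlingDefaultThreshold = 100
	DefaultListObjectsDispatchThrottlingMaxThreshold     = 0 // 0 means use the default threshold as max

	DefaultListUsersDispatchThrottlingEnabled          = false
	DefaultListUsersDispatchThrottlingFrequency        = 10 * time.Microsecond
	DefaultListUsersDispatchThrottlingDefaultThreshold = 100
	DefaultListUsersDispatchThrottlingMaxThreshold     = 0 // 0 means use the default threshold as max

	// Per-request timeout; see Config.RequestTimeout for precedence over the
	// HTTP upstream timeout.
	DefaultRequestTimeout = 3 * time.Second

	// Shared storage iterators (SharedIteratorConfig). Off by default.
	DefaultSharedIteratorEnabled          = false
	DefaultSharedIteratorLimit            = 1000000
	DefaultSharedIteratorTTL              = 4 * time.Minute
	DefaultSharedIteratorMaxAdmissionTime = 10 * time.Second
	DefaultSharedIteratorMaxIdleTime      = 1 * time.Second
)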

Variables

This section is empty.

Functions

func DefaultContextTimeout

func DefaultContextTimeout(config *Config) time.Duration

DefaultContextTimeout returns the runtime DefaultContextTimeout. If requestTimeout > 0, the middleware is expected to handle the timeout and the runtime.DefaultContextTimeout is used only as a last resort. Otherwise, the HTTP upstream timeout is used if HTTP is enabled.

func MaxConditionEvaluationCost

func MaxConditionEvaluationCost() uint64

MaxConditionEvaluationCost ensures a safe value for CEL evaluation cost.

Types

type AccessControlConfig

// AccessControlConfig is the configuration for the access control feature.
type AccessControlConfig struct {
	// Enabled turns the access control feature on.
	Enabled bool
	// StoreID and ModelID identify the store and authorization model the
	// feature uses — presumably the ones the server's own access decisions
	// are evaluated against; confirm against the feature's call sites.
	StoreID string
	ModelID string
}

AccessControlConfig is the configuration for the access control feature.

type AuthnConfig

// AuthnConfig defines OpenFGA server configurations for authentication specific settings.
type AuthnConfig struct {

	// Method is the authentication method that should be enforced (e.g. 'none', 'preshared',
	// 'oidc')
	Method                   string
	// Per-method settings, embedded and populated from the "oidc" and
	// "preshared" config keys. NOTE(review): presumably only the section
	// matching Method is consulted and the other may be nil — confirm against
	// the authn middleware before dereferencing either.
	*AuthnOIDCConfig         `mapstructure:"oidc"`
	*AuthnPresharedKeyConfig `mapstructure:"preshared"`
}

AuthnConfig defines OpenFGA server configurations for authentication specific settings.

type AuthnOIDCConfig

// AuthnOIDCConfig defines configurations for the 'oidc' method of authentication.
// The validation rules applied to each field live in the OIDC authenticator,
// not in this package; the field descriptions below are therefore hedged.
type AuthnOIDCConfig struct {
	// Issuer is presumably the issuer value tokens must carry; IssuerAliases
	// are additional issuer values accepted as equivalent — confirm.
	Issuer         string
	IssuerAliases  []string
	// Subjects, when set, presumably restricts which token subjects are accepted.
	Subjects       []string
	// Audience is the audience value tokens are expected to carry.
	Audience       string
	// ClientIDClaims lists the claim names consulted for the client ID; the
	// lookup order is not visible here.
	ClientIDClaims []string
}

AuthnOIDCConfig defines configurations for the 'oidc' method of authentication.

type AuthnPresharedKeyConfig

// AuthnPresharedKeyConfig defines configurations for the 'preshared' method of authentication.
type AuthnPresharedKeyConfig struct {
	// Keys define the preshared keys to verify authn tokens against.
	// Excluded from JSON so the secrets never reach logged config dumps.
	Keys []string `json:"-"` // private field, won't be logged
}

AuthnPresharedKeyConfig defines configurations for the 'preshared' method of authentication.

type CacheControllerConfig

// CacheControllerConfig defines configuration to manage cache invalidation
// dynamically by observing whether there are recent tuple changes to the
// specified store. Defaults: DefaultCacheControllerEnabled / DefaultCacheControllerTTL.
type CacheControllerConfig struct {
	// Enabled turns the controller on.
	Enabled bool
	// TTL is the controller's time-to-live interval; how it is applied is
	// decided by the controller itself.
	TTL     time.Duration
}

CacheControllerConfig defines configuration to manage cache invalidation dynamically by observing whether there are recent tuple changes to specified store.

type CacheSettings

// CacheSettings gathers every cache-related knob into one value-type view;
// the field names mirror the Default* constants in this package and
// NewDefaultCacheSettings builds one from them. The Should* methods declared
// on this type derive whether each cache, the cache controller and their
// shadow counterparts should be created.
type CacheSettings struct {
	CheckCacheLimit                    uint32
	CacheControllerEnabled             bool
	CacheControllerTTL                 time.Duration
	CheckQueryCacheEnabled             bool
	CheckQueryCacheTTL                 time.Duration
	CheckIteratorCacheEnabled          bool
	CheckIteratorCacheMaxResults       uint32
	CheckIteratorCacheTTL              time.Duration
	ListObjectsIteratorCacheEnabled    bool
	ListObjectsIteratorCacheMaxResults uint32
	ListObjectsIteratorCacheTTL        time.Duration
	SharedIteratorEnabled              bool
	SharedIteratorLimit                uint32
	// SharedIteratorTTL lives here rather than on SharedIteratorConfig, which
	// only carries Enabled and Limit.
	SharedIteratorTTL                  time.Duration
	ShadowCheckCacheEnabled            bool
}

func NewDefaultCacheSettings

func NewDefaultCacheSettings() CacheSettings

func (CacheSettings) ShouldCacheCheckIterators

func (c CacheSettings) ShouldCacheCheckIterators() bool

func (CacheSettings) ShouldCacheCheckQueries

func (c CacheSettings) ShouldCacheCheckQueries() bool

func (CacheSettings) ShouldCacheListObjectsIterators

func (c CacheSettings) ShouldCacheListObjectsIterators() bool

func (CacheSettings) ShouldCreateCacheController

func (c CacheSettings) ShouldCreateCacheController() bool

func (CacheSettings) ShouldCreateNewCache

func (c CacheSettings) ShouldCreateNewCache() bool

func (CacheSettings) ShouldCreateShadowCacheController added in v1.9.2

func (c CacheSettings) ShouldCreateShadowCacheController() bool

ShouldCreateShadowCacheController determines if a new shadow cache controller should be created. A shadow cache controller is created if the ShadowCheckCache is enabled and the cache controller is enabled.

func (CacheSettings) ShouldCreateShadowNewCache added in v1.9.2

func (c CacheSettings) ShouldCreateShadowNewCache() bool

func (CacheSettings) ShouldShadowCacheListObjectsIterators added in v1.9.2

func (c CacheSettings) ShouldShadowCacheListObjectsIterators() bool

ShouldShadowCacheListObjectsIterators returns true if a new shadow cache for list objects iterators should be created. A shadow cache for list objects iterators is created if the ShadowCheckCache is enabled and list objects iterators caching is enabled.

type CheckCacheConfig

// CheckCacheConfig defines configuration for a cache that is shared across Check requests.
type CheckCacheConfig struct {
	// Limit is the cache's entry limit; DefaultCheckCacheLimit is the default.
	Limit uint32
}

CheckCacheConfig defines configuration for a cache that is shared across Check requests.

type CheckQueryCache

// CheckQueryCache defines configuration for caching when resolving check.
// Defaults: DefaultCheckQueryCacheEnabled / DefaultCheckQueryCacheTTL.
type CheckQueryCache struct {
	// Enabled turns the query cache on.
	Enabled bool
	// TTL bounds how long a cached check result stays valid.
	TTL     time.Duration
}

CheckQueryCache defines configuration for caching when resolving check.

type Config

// Config is the complete configuration of a standalone OpenFGA server.
// DefaultConfig returns one populated with the package defaults (see the
// Default* constants) and the Verify* methods validate it.
type Config struct {

	// ListObjectsDeadline defines the maximum amount of time to accumulate ListObjects results
	// before the server will respond. This is to protect the server from misuse of the
	// ListObjects endpoints. It cannot be larger than HTTPConfig.UpstreamTimeout.
	// NOTE(review): ListUsersDeadline below is documented as bounded by
	// RequestTimeout as well; presumably the same applies here — confirm against Verify.
	ListObjectsDeadline time.Duration

	// ListObjectsMaxResults defines the maximum number of results to accumulate
	// before the non-streaming ListObjects API will respond to the client.
	// This is to protect the server from misuse of the ListObjects endpoints.
	ListObjectsMaxResults uint32

	// ListUsersDeadline defines the maximum amount of time to accumulate ListUsers results
	// before the server will respond. This is to protect the server from misuse of the
	// ListUsers endpoints. It cannot be larger than the configured server's request timeout (RequestTimeout or HTTPConfig.UpstreamTimeout).
	ListUsersDeadline time.Duration

	// ListUsersMaxResults defines the maximum number of results to accumulate
	// before the non-streaming ListUsers API will respond to the client.
	// This is to protect the server from misuse of the ListUsers endpoints.
	ListUsersMaxResults uint32

	// MaxTuplesPerWrite defines the maximum number of tuples per Write endpoint.
	MaxTuplesPerWrite int

	// MaxChecksPerBatchCheck defines the maximum number of checks
	// that can be passed in each BatchCheck request.
	MaxChecksPerBatchCheck uint32

	// MaxConcurrentChecksPerBatchCheck defines the maximum number of checks
	// that can be run simultaneously.
	MaxConcurrentChecksPerBatchCheck uint32

	// MaxTypesPerAuthorizationModel defines the maximum number of type definitions per
	// authorization model for the WriteAuthorizationModel endpoint.
	MaxTypesPerAuthorizationModel int

	// MaxAuthorizationModelSizeInBytes defines the maximum size in bytes allowed for
	// persisting an Authorization Model.
	MaxAuthorizationModelSizeInBytes int

	// MaxConcurrentReadsForListObjects defines the maximum number of concurrent database reads
	// allowed in ListObjects queries
	MaxConcurrentReadsForListObjects uint32

	// MaxConcurrentReadsForCheck defines the maximum number of concurrent database reads allowed in
	// Check queries
	MaxConcurrentReadsForCheck uint32

	// MaxConcurrentReadsForListUsers defines the maximum number of concurrent database reads
	// allowed in ListUsers queries
	MaxConcurrentReadsForListUsers uint32

	// MaxConditionEvaluationCost defines the maximum cost for CEL condition evaluation before a request returns an error
	MaxConditionEvaluationCost uint64

	// ChangelogHorizonOffset is an offset in minutes from the current time. Changes that occur
	// after this offset will not be included in the response of ReadChanges.
	ChangelogHorizonOffset int

	// Experimentals is a list of the experimental features to enable in the OpenFGA server.
	Experimentals []string

	// AccessControl is the configuration for the access control feature.
	AccessControl AccessControlConfig

	// ResolveNodeLimit indicates how deeply nested an authorization model can be before a query
	// errors out.
	ResolveNodeLimit uint32

	// ResolveNodeBreadthLimit indicates how many nodes on a given level can be evaluated
	// concurrently in a query
	ResolveNodeBreadthLimit uint32

	// RequestTimeout configures request timeout.  If both HTTP upstream timeout and request timeout are specified,
	// request timeout will be prioritized
	RequestTimeout time.Duration

	// ContextPropagationToDatastore enables propagation of a requests context to the datastore,
	// thereby receiving API cancellation signals
	ContextPropagationToDatastore bool

	// Sub-configurations for the datastore, the gRPC and HTTP listeners,
	// authentication, logging, tracing, the playground, the pprof profiler,
	// metrics, the Check/ListObjects caches and cache controller, and the
	// per-API dispatch and database throttles. Each nested type documents
	// its own fields.
	Datastore                     DatastoreConfig
	GRPC                          GRPCConfig
	HTTP                          HTTPConfig
	Authn                         AuthnConfig
	Log                           LogConfig
	Trace                         TraceConfig
	Playground                    PlaygroundConfig
	Profiler                      ProfilerConfig
	Metrics                       MetricConfig
	CheckCache                    CheckCacheConfig
	CheckIteratorCache            IteratorCacheConfig
	CheckQueryCache               CheckQueryCache
	CacheController               CacheControllerConfig
	CheckDispatchThrottling       DispatchThrottlingConfig
	ListObjectsDispatchThrottling DispatchThrottlingConfig
	ListUsersDispatchThrottling   DispatchThrottlingConfig
	CheckDatabaseThrottle         DatabaseThrottleConfig
	ListObjectsDatabaseThrottle   DatabaseThrottleConfig
	ListUsersDatabaseThrottle     DatabaseThrottleConfig
	ListObjectsIteratorCache      IteratorCacheConfig
	SharedIterator                SharedIteratorConfig

	// Bucket boundaries for the request-duration histograms, keyed by datastore
	// query count and by dispatch count respectively. They are kept as strings
	// here; presumably parsed where the metrics are registered — confirm.
	RequestDurationDatastoreQueryCountBuckets []string
	RequestDurationDispatchCountBuckets       []string
}

func DefaultConfig

func DefaultConfig() *Config

DefaultConfig is the OpenFGA server default configurations.

func MustDefaultConfig

func MustDefaultConfig() *Config

MustDefaultConfig returns default server config with the playground, tracing and metrics turned off.

func (*Config) Verify

func (cfg *Config) Verify() error

func (*Config) VerifyBinarySettings

func (cfg *Config) VerifyBinarySettings() error

func (*Config) VerifyDatabaseThrottlesConfig added in v1.8.13

func (cfg *Config) VerifyDatabaseThrottlesConfig() error

VerifyDatabaseThrottlesConfig ensures the DatabaseThrottleConfigs are valid.

func (*Config) VerifyDispatchThrottlingConfig added in v1.8.13

func (cfg *Config) VerifyDispatchThrottlingConfig() error

VerifyDispatchThrottlingConfig ensures DispatchThrottlingConfigs are valid.

func (*Config) VerifyServerSettings

func (cfg *Config) VerifyServerSettings() error

type DatabaseThrottleConfig added in v1.8.13

// DatabaseThrottleConfig defines configurations for database throttling.
// Config carries one per API (CheckDatabaseThrottle, ListObjectsDatabaseThrottle,
// ListUsersDatabaseThrottle) and VerifyDatabaseThrottlesConfig validates them.
type DatabaseThrottleConfig struct {
	// Enabled turns database throttling on for the owning API.
	Enabled   bool
	// Threshold is the count at which throttling kicks in. NOTE(review): it is
	// a signed int here while DispatchThrottlingConfig.Threshold is uint32, so
	// negative values are representable — confirm Verify rejects them.
	Threshold int
	// Duration is the throttle interval applied once Threshold is exceeded.
	Duration  time.Duration
}

DatabaseThrottleConfig defines configurations for database throttling.

type DatastoreConfig

// DatastoreConfig defines OpenFGA server configurations for datastore specific settings.
type DatastoreConfig struct {
	// Engine is the datastore engine to use (e.g. 'memory', 'postgres', 'mysql', 'sqlite')
	Engine            string
	// URI, SecondaryURI and both passwords are excluded from JSON, and hence
	// from logged config: connection URIs commonly embed credentials. Username
	// and SecondaryUsername are not excluded and will appear in such output.
	// NOTE(review): the Secondary* fields presumably describe a secondary
	// (read) datastore — confirm against the storage layer.
	URI               string `json:"-"` // private field, won't be logged
	SecondaryURI      string `json:"-"` // private field, won't be logged
	Username          string
	Password          string `json:"-"` // private field, won't be logged
	SecondaryUsername string
	SecondaryPassword string `json:"-"` // private field, won't be logged

	// MaxCacheSize is the maximum number of authorization models that will be cached in memory.
	MaxCacheSize int

	// MaxOpenConns is the maximum number of open connections to the database.
	MaxOpenConns int

	// MaxIdleConns is the maximum number of connections to the datastore in the idle connection
	// pool.
	MaxIdleConns int

	// ConnMaxIdleTime is the maximum amount of time a connection to the datastore may be idle.
	ConnMaxIdleTime time.Duration

	// ConnMaxLifetime is the maximum amount of time a connection to the datastore may be reused.
	ConnMaxLifetime time.Duration

	// Metrics is configuration for the Datastore metrics.
	Metrics DatastoreMetricsConfig
}

DatastoreConfig defines OpenFGA server configurations for datastore specific settings.

type DatastoreMetricsConfig

// DatastoreMetricsConfig holds the datastore-specific metrics settings
// referenced from DatastoreConfig.Metrics.
type DatastoreMetricsConfig struct {
	// Enabled enables export of the Datastore metrics.
	Enabled bool
}

type DispatchThrottlingConfig

// DispatchThrottlingConfig defines configurations for dispatch throttling.
// Config carries one per API and VerifyDispatchThrottlingConfig validates
// them; the Default*DispatchThrottling* constants supply the defaults.
type DispatchThrottlingConfig struct {
	// Enabled turns dispatch throttling on for the owning API.
	Enabled      bool
	// Frequency is the throttle tick interval.
	Frequency    time.Duration
	// Threshold is the dispatch count at which throttling starts; MaxThreshold
	// is the upper bound, and per the Default* constants a MaxThreshold of 0
	// means Threshold is also the maximum.
	Threshold    uint32
	MaxThreshold uint32
}

DispatchThrottlingConfig defines configurations for dispatch throttling.

type GRPCConfig

// GRPCConfig defines OpenFGA server configurations for grpc server specific settings.
type GRPCConfig struct {
	// Addr is the gRPC listen address.
	Addr string
	// TLS, when non-nil and enabled, configures the certificate and key the
	// listener serves; a nil value is presumably plaintext — confirm.
	TLS  *TLSConfig
}

GRPCConfig defines OpenFGA server configurations for grpc server specific settings.

type HTTPConfig

// HTTPConfig defines OpenFGA server configurations for HTTP server specific settings.
type HTTPConfig struct {
	// Enabled toggles the HTTP listener; Addr is its listen address and TLS,
	// when non-nil and enabled, its certificate settings.
	Enabled bool
	Addr    string
	TLS     *TLSConfig

	// UpstreamTimeout is the timeout duration for proxying HTTP requests upstream
	// to the grpc endpoint. It cannot be smaller than Config.ListObjectsDeadline.
	UpstreamTimeout time.Duration

	// CORSAllowedOrigins and CORSAllowedHeaders are presumably handed to the
	// CORS middleware as the permitted Origin values and request headers;
	// confirm against the HTTP server setup.
	CORSAllowedOrigins []string
	CORSAllowedHeaders []string
}

HTTPConfig defines OpenFGA server configurations for HTTP server specific settings.

type IteratorCacheConfig

// IteratorCacheConfig defines configuration to cache storage iterator results.
// Config carries one for Check (CheckIteratorCache) and one for ListObjects
// (ListObjectsIteratorCache), with matching Default*IteratorCache* constants.
type IteratorCacheConfig struct {
	// Enabled turns the iterator cache on.
	Enabled    bool
	// MaxResults bounds how many iterator results are cached.
	MaxResults uint32
	// TTL bounds how long cached results stay valid.
	TTL        time.Duration
}

IteratorCacheConfig defines configuration to cache storage iterator results.

type LogConfig

// LogConfig defines OpenFGA server configurations for log specific settings.
// For production, we recommend using the 'json' log format.
type LogConfig struct {
	// Format is the log format to use in the log output (e.g. 'text' or 'json')
	Format string

	// Level is the log level to use in the log output (e.g. 'none', 'debug', or 'info')
	Level string

	// TimestampFormat is the format of the timestamp in the log output (e.g. 'Unix'(default) or 'ISO8601')
	TimestampFormat string
}

LogConfig defines OpenFGA server configurations for log specific settings. For production, we recommend using the 'json' log format.

type MetricConfig

// MetricConfig defines configurations for serving custom metrics from OpenFGA.
type MetricConfig struct {
	// Enabled turns the metrics endpoint on; Addr is the address it is served on.
	Enabled             bool
	Addr                string
	// EnableRPCHistograms additionally exports per-RPC histograms, which
	// carry more series than the plain counters.
	EnableRPCHistograms bool
}

MetricConfig defines configurations for serving custom metrics from OpenFGA.

type OTLPTraceConfig

// OTLPTraceConfig holds the OTLP exporter settings used by TraceConfig.OTLP
// (config key "otlp").
type OTLPTraceConfig struct {
	// Endpoint is the OTLP collector address traces are exported to.
	Endpoint string
	// TLS controls whether the exporter connection uses TLS.
	TLS      OTLPTraceTLSConfig
}

type OTLPTraceTLSConfig

// OTLPTraceTLSConfig toggles TLS for the OTLP trace exporter. Unlike TLSConfig
// it carries no certificate or key paths, so it is presumably a plain on/off
// switch for the exporter's transport — confirm.
type OTLPTraceTLSConfig struct {
	Enabled bool
}

type PlaygroundConfig

// PlaygroundConfig defines OpenFGA server configurations for the Playground specific settings.
// MustDefaultConfig returns it disabled.
type PlaygroundConfig struct {
	// Enabled turns the playground on; Port is the port it is served on.
	Enabled bool
	Port    int
}

PlaygroundConfig defines OpenFGA server configurations for the Playground specific settings.

type ProfilerConfig

// ProfilerConfig defines server configurations specific to pprof profiling.
type ProfilerConfig struct {
	// Enabled turns the pprof profiler on; Addr is the address it listens on
	// (presumably a listener separate from the API ports — confirm).
	Enabled bool
	Addr    string
}

ProfilerConfig defines server configurations specific to pprof profiling.

type SharedIteratorConfig added in v1.8.12

// SharedIteratorConfig defines configuration to share storage iterator.
// Only Enabled and Limit live here; the TTL is carried by
// CacheSettings.SharedIteratorTTL (DefaultSharedIteratorTTL).
type SharedIteratorConfig struct {
	// Enabled turns iterator sharing on.
	Enabled bool
	// Limit bounds the number of shared iterators; DefaultSharedIteratorLimit is the default.
	Limit   uint32
}

SharedIteratorConfig defines configuration to share storage iterator.

type TLSConfig

// TLSConfig defines configuration specific to Transport Layer Security (TLS) settings.
// It is referenced by pointer from GRPCConfig.TLS and HTTPConfig.TLS.
type TLSConfig struct {
	// Enabled turns TLS on for the listener that owns this config.
	Enabled  bool
	// CertPath and KeyPath are filesystem paths to the certificate and private
	// key, read from the "cert" and "key" config keys.
	CertPath string `mapstructure:"cert"`
	KeyPath  string `mapstructure:"key"`
}

TLSConfig defines configuration specific to Transport Layer Security (TLS) settings.

type TraceConfig

// TraceConfig defines the server's tracing settings; MustDefaultConfig
// returns it disabled.
type TraceConfig struct {
	// Enabled turns tracing on.
	Enabled     bool
	// OTLP holds the exporter settings, read from the "otlp" config key.
	OTLP        OTLPTraceConfig `mapstructure:"otlp"`
	// SampleRatio is presumably the fraction of traces sampled — confirm the
	// accepted range against the tracer setup.
	SampleRatio float64
	// ServiceName is the service name attached to exported spans.
	ServiceName string
}
